NetScaler support for SSL Profile Converter Tool

Author: Subhojit Goswami, Satyam Mehrotra and Lahari Panga

Introduction to Profiles

SSL/TLS is a core tenet of NetScaler which caters to the ever-changing security landscape of application delivery for any organization. NetScaler has a robust SSL/TLS feature stack with some of the core features such as TLS Offload, etc.

To leverage the feature stack, one needs to configure the Netscaler. Configuring the NetScaler can be a tedious and time-consuming process, as to cater to any enterprise organization, one needs to configure innumerable entities such as ‘n’ number of virtual servers, services, internal services, etc. Most of the time, the vast majority of these entities will have identical settings configured and if any kind of change is required then one needs to go to each of those entities and make the necessary changes in the configured setting. Hence, it creates a lot of repetitive processes which is not good for user experience.

To simplify the above issue, Netscaler introduced an entity known as ‘Profile’. With the ‘Profile’ entity, one can simply edit the settings on the Profile itself and then bind the Profile to all the other entities that have identical settings, thus mitigating the repetitive and time–consuming processes. Now, this Profile entity is extended to many other feature stacks such as TCP, SSL, HTTP, etc.

In this article, we will focus solely on the SSL Profile. Currently, there are two types of SSL Profile:

• Legacy SSL Profile
• Enhanced/Default SSL Profile

Both these Profiles solve the inherent issue of making identical SSL setting changes via the entity-specific SSL parameter setting, where one has to go and make the necessary changes on every entity like virtual servers, services, etc.

Deep dive into Legacy and Enhanced/Default SSL Profile

Let's take a closer look at the Legacy SSL Profile. The Legacy SSL Profile inherits all the parameters of the SSL context entities (virtual servers/ services/ service groups/internal services of type SSL) into the profile. Bindings such as ECC curves and Ciphers are left out of the profile and are still part of the original SSL contexts. Users can set the SSL profile on the SSL context entities by using a set command. For example:

set ssl vserver <name> -sslprofile <name of ssl profile>

If this command is successful, then the parameter values are taken from the SSL Profile instead of the SSL vserver. As pointed out earlier, ECC curves and ciphers are still kept with vserver (in this example). This is how a show command output will look like:

sh ssl vserver v1

     Advanced SSL configuration for VServer v1:

     Profile Name :ns_default_ssl_profile_frontend

     ECC Curve: P_256, P_384, P_224, P_521

1)  Cipher Name: DEFAULT

     Description: Default cipher list with encryption strength >= 128 bit

To mitigate the above-mentioned limitations of Legacy SSL Profile, Enhanced/Default SSL Profile can be leveraged. A Enhanced/Default SSL Profile contains all the necessary settings an SSL context can have, and it also includes ECC curve and cipher bindings.

To enable enhanced SSL Profile, one can run the following command:

set ssl parameter -defaultProfile ENABLED

When the user runs this command, all the profiles present in the system get converted to Enhanced SSL profile. The command for setting profile on vserver remains the same as before:

set ssl vserver <name> -sslprofile <name of ssl profile>

Show output will look like this:

> sh ssl vserver v1

     Advanced SSL configuration for VServer v1:

     Profile Name :ns_default_ssl_profile_frontend

 Done

As seen here, since the ECC and cipher bindings are also a part of the profile, we do not see them as a part of sh ssl vserver output. To see the details of a profile, we can run 

show ssl profile <name> command.

Enhanced SSL profile is a powerful concept, and it takes all the advantages of profile infrastructure. NetScaler also provides a few default ssl profiles for use. Here is a list of default ssl profiles:

ns_default_ssl_profile_backend

ns_default_ssl_profile_frontend               

ns_default_ssl_profile_internal_frontend_service

ns_default_ssl_profile_secure_frontend           

ns_default_ssl_profile_quic_frontend         

ns_default_ssl_profile_secure_frontend_cloud

The ns_default_ssl_profile_frontend and ns_default_ssl_profile_backend are the most important SSL profiles. When a user enables default SSL profile, all the front-end entities like virtual servers get attached to ns_default_ssl_profile_frontend profile and the backend entities like service and service group get attached to ns_default_ssl_profile_backend profile. These two profiles are editable, and the user is allowed to make modifications.

One significant thing that a user needs to make a note of is that once the Enhanced Profile is enabled (set ssl parameter -defaultProfile ENABLED) it cannot be undone. The only way to revert is to do a clear configuration on NetScaler.

Need for the migration from Legacy to Enhanced/Default SSL Profile

Along with overcoming the limitations posed by the Legacy SSL Profile with the inception of Enhanced/Default SSL Profile, there is another major factor that makes Enhanced/Default SSL Profile the latest and the greatest of the SSL Profile infrastructure, i.e., all the new features are/will only be available on Enhanced/Default SSL Profile. So, for one to leverage the SSL/TLS stack to its fullest and utilize the latest features, it is the hour of need for one to migrate from the Legacy SSL Profile to the Enhanced/Default SSL Profile.

The following are some of the TLS features that are available only in an Enhanced/Default SSL Profile:

• TLSv1.3
• SSL Interception
• Session Ticket
• Allow Extended Master Secret
• ALPN Protocol
• Use only bound CA certificates
• allowUnknownSNI

Migrating from the Legacy SSL Profile to the Enhanced/Default SSL Profile can be a very tedious and time-consuming process, as there can be n number of Legacy SSL Profiles applied to n number of entities. So, to ease the pain of the user, NetScaler came up with an SSL Profile Converter Tool for seamless migration,  taking the overarching process pain from the user’s hands. We are also pleased to state that this tool has now been integrated with the NetScaler GUI which makes it even simpler for a user to convert, just with a click of a button.

But first, let’s see how the tool works under the hood:

The tool takes a given NetScaler configuration file and scans it. Post scanning it intelligently segregates entities with identical settings like ‘n’ number of vservers having Legacy Profiles with identical settings, etc., it also takes care of entity-specific settings, i.e., entities having no Profile. Once the segregation has been done, the tool generates the corresponding Enhanced/Default SSL Profile for each cohort and finally writes the changes into an output batch file. Thus, completely automating the migration process and improving the user experience.

Now let’s take a look at the steps needed to be adhered to by a user from the NetScaler ADC GUI perspective to use this particular tool:

The tool resides in: Traffic Management > SSL > Tools > SSL Profile Converter.

1. First and foremost, the user has to save the NetScaler configuration. After that one needs to click on the checkbox indicating that the configuration has been saved, then click on the “Run SSL Profile Conversion” button which converts and produces a batch file with all the Enhanced SSL Profiles in it.

Output file location when using admin partitions and running the script from CLI: /nsconfig/partitions/<partition_name>/sslprofile_cmds.txt.

Output file location when using the default partition and running the script from CLI or GUI: /nsconfig/sslprofile_cmds.txt.

2. Once the conversion has been successful, the user needs to review the output file, which can be done instantaneously by clicking on the “View” button, or by clicking on the “ Download” button to download and review it  later.
3. Once the reviewing is done, one can simply enable the Default SSL Profile first with the following command: set ssl parameter -defaultProfile ENABLED
4. And then batch the output file. Thus, having a seamless transition.

In this way, a user can seamlessly transition from SSL Legacy Profile/No Profile to Enhanced/Default SSL Profile with just the click of a button.

THANK YOU!